“Hi. Just writing to let you know my trip to Manila, Philippines with my family has been a mess…I need you to loan me some money. I’ll refund it to you as soon as I arrive home.”

or…

“How are you and your family doing? hope this email find you all in good health and spirit. I am currently in Burkina Faso on vacation but i will return back as soon as possible due to my poor health. I have tried calling you severally but didn’t get through, please can you call me on … as soon as you get this email? I have something urgent i need to talk to you about.”

That is the kind of fake e-mail thousands of university employees get every year. It appears to come from a friend or a colleague, but is actually from a scammer on the other side of the world.

All these scams tell the same story: the sender is out of the country, has been robbed, or is ill or in some other kind of trouble, and needs your help right now. The trick relies on good-natured people being willing to help a friend.

The Stranded Traveler scam is a way to profit from hacking into someone’s webmail account – like Yahoo!Mail, Hotmail or GMail.

This usually happens when somebody has a simple, easily guessable password on their webmail account, or they have left their details on a phishing site.

Once the scammer has gained control of the “mule’s” email account, they log into the webmail account and:

Change the webmail password so the real user can’t login.

Grab a copy of all the contacts either from the contacts list or individual messages.

Send the ‘stranded traveler’ message out to the contacts and hope for replies with money transfer details.

Meantime the real owner of the webmail account is probably unaware there’s a problem until they try to login to their email. Even then, they probably think they’ve forgotten the password rather than being hacked. It’s only when a friend contacts them directly that the scam is revealed – usually far too late.

How to protect yourself: There are various things you can do to avoid becoming a victim of this scam, whether by having your webmail hacked or by receiving the scam emails.

Don’t click on attachments in emails from strangers, or if they are from someone you know but look suspicious.

Have a complex, hard-to-guess password. Dictionary words aren’t enough. Preferably use a mix of upper- and lower-case letters plus digits and other characters such as !@#$%^&*.

Don’t reveal the password to anyone, and be careful of email messages that pretend to come from the webmail provider. Phishing messages are the most common way that people give away their passwords.

If you get an urgent email from a friend, especially one asking for money, check with them using other means. Try to call them or check with mutual acquaintances to see if the story is true beyond what you’ve learnt in the email. At worst, you could reply and ask for some information only the real sender would know (keep in mind that the scammer can read/search the hacked webmail account).

So how do scammers get your email password?

Phishing websites: Typically a victim receives a message that appears to have been sent by a known contact or organization. The victim clicks on an attachment or a link in the message and is directed to a malicious website set up to trick them into divulging personal information, such as usernames and passwords.

Trojan programs: If you click on an attachment in an unknown email, it can trigger your computer to download a “Trojan” program that then allows cyber criminals to see every keystroke you make – including your email password.

Password breaker program: Often called a “brute force program,” this is software bad guys use to try every combination of numbers and letters until they hit on your password.

Email addresses used as logons: Think of how many websites have had you set up an account using your email address as your user ID. If you then use the same password for that account that you use for email, criminals have what they need: your email address and your password.

According to the South African Banking Risk Information Centre (SABRIC), South Africans lose in excess of R2.2bn to internet fraud and phishing attacks annually!

This gives South Africa the embarrassing status of having the third highest number of cybercrime victims worldwide!

South Africa has suffered more cybercrime attacks than any other country in Africa.

Antonio Forzieri, Cyber Security Practise Lead: EMEA at Symantec, is quoted as saying that “one in 214 emails sent in South Africa during 2014 was a spear-phishing attack.”

This morning’s attack on the University of Stellenbosch was a spear-phishing attack. (“spear-phishing” is not a new water sport!)

Phishing emails target a broad group of users in hopes of catching a few victims but spear-phishing emails are far more focussed.

SPEAR-PHISHING is where the perpetrator targets a specific person or organisation – like the university. This takes the form of emails addressed to you, ostensibly from within the organisation and using an internal e-mail account. It looks familiar and appears legitimate!

This morning’s attack came in the form of an e-mail disguised as being sent from a trusted source (a known university e-mail address). It tried to fool victims into voluntarily disclosing sensitive information such as usernames and passwords by encouraging people to open a link that took them to a site disguised to look like the university’s webmail login page.

Most spear-phishing emails have a “call to action” as part of their tactics, which is an effort to push the receiver into opening a link or attachment or else suffer some consequence: “We have detected your mail settings are out of date…Sign in and automatically update your mailbox…”

What was concerning about this morning’s attack was that the perpetrators had registered a South African domain name (which can only be done from South Africa) using a name very similar to Stellenbosch, and including the university’s network acronym, SUN, in the domain name! This was not a random attack. It was focussed and, judging by the number of e-mail addresses it was sent to, was specifically engineered to compromise the university network.
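The lookalike domain described above (a name close to the real one, carrying the organisation’s acronym, registered under the same country code) is something a mail gateway or a helpdesk triage script can flag automatically. The following is an added example, not code from the original post or from the university; the legitimate domain “example-university.ac.za”, the acronym threshold, and the sender addresses are all constructed placeholders for illustration.

```python
"""Flag sender domains that imitate the organisation's own domain.

Added example (not from the original post). LEGIT_DOMAIN is a placeholder
for the organisation's real domain; the sample senders are constructed.
"""
import re

LEGIT_DOMAIN = "example-university.ac.za"  # assumption: placeholder domain
ORG_ACRONYM = "sun"                        # acronym the post says was abused
MAX_EDIT_DISTANCE = 2                      # "very similar" threshold (assumed)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the lower-cased domain from 'Name <user@host>' or 'user@host'."""
    m = re.search(r"<([^>]+)>", address)
    addr = m.group(1) if m else address
    return addr.rsplit("@", 1)[-1].strip().lower()


def lookalike_reasons(address: str) -> list:
    """Return the reasons a sender domain looks like an imitation (empty if none)."""
    domain = sender_domain(address)
    if domain == LEGIT_DOMAIN or domain.endswith("." + LEGIT_DOMAIN):
        return []  # genuine domain or one of its subdomains
    label = domain.split(".")[0]               # registrable part, e.g. "sun-webmail"
    legit_label = LEGIT_DOMAIN.split(".")[0]
    legit_cc = LEGIT_DOMAIN.rsplit(".", 1)[-1]  # country code, e.g. "za"
    reasons = []
    # 1. Near-identical spelling of the real label (typosquatting).
    if levenshtein(label, legit_label) <= MAX_EDIT_DISTANCE:
        reasons.append(f"label '{label}' is within {MAX_EDIT_DISTANCE} edits of '{legit_label}'")
    # 2. Organisation acronym embedded in a domain under the same country code.
    #    The country-code condition keeps unrelated foreign names (e.g. 'sunrise') out.
    if ORG_ACRONYM in label and domain.endswith("." + legit_cc):
        reasons.append(f"contains acronym '{ORG_ACRONYM}' under the .{legit_cc} country code")
    return reasons


def flagged_senders(senders: list) -> dict:
    """Map each suspicious sender to its reasons; genuine senders are omitted."""
    return {s: r for s in senders if (r := lookalike_reasons(s))}


# Constructed sample senders for a dry run.
SAMPLE_SENDERS = [
    "IT Helpdesk <helpdesk@example-university.ac.za>",  # genuine
    "Mail Admin <admin@example-univarsity.ac.za>",      # one-letter typo
    "Webmail Team <support@sun-webmail.co.za>",         # acronym under .za
    "newsletter@sunrise-bakery.com",                    # acronym, foreign TLD: ignored
    "friend@gmail.com",                                 # ordinary external sender
]

if __name__ == "__main__":
    for sender, reasons in flagged_senders(SAMPLE_SENDERS).items():
        print(sender, "->", "; ".join(reasons))
```

The two heuristics are deliberately narrow: a near-identical label is strong evidence on its own, while the acronym rule only fires for domains under the organisation’s own country code, which is exactly the pattern the post describes. A flagged message is a candidate for quarantine or a warning banner, not proof of an attack, so the reasons are returned for a human to read.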

What can we do?

Prevention always begins with educating all employees about the new reality of spearphishing attacks. By now, everyone should know about the old-style phishing emails, full of typos and promises of unearned millions – they are no longer your main worry. New spear-phishing emails are handcrafted by professional criminal gangs that know exactly how to tailor their work to seem like a legitimate email coming from someone that your colleagues trust.

Always ask for independent confirmation (such as a phone call or IM) before clicking and running any executable or opening any unexpected document. A quick confirmation is simply due diligence today.

Report anything suspicious. If you accidentally executed anything that you later became suspicious about, you should report it as well. It is important to remove the stigma and embarrassment of being fooled. Anyone, even security experts, can be tricked today, given the sophistication of the attacks.

Start to aggressively test employees with fake phishing attempts. These attempts should use phishing email templates that are more sophisticated and less like the phishing attempts of the past.

Keep testing individual employees until you get a very low percentage of easily compromised employees. If you do it right, you’ll have your employees questioning any unexpected emails asking for credentials or to execute programs. Having employees question your legitimate emails is a welcome symptom of a good education program.

Lastly, if a spearphishing attempt is successful in your institution, then use the actual phishing email and the compromised employee’s testimony (if they are well liked and trusted) to help teach others about today’s spearphishing environment. Anything that brings the new lessons into focus is welcome.

The key to prevention is getting everyone to see that today’s spearphishing email is not what they were used to in the past.

As if the recent ransomware scares and cleverly disguised phishing scams weren’t enough to keep you up at night, password breaches continue to make news.

Although “online safety” feels more and more like an oxymoron these days, there are still steps you can take to protect yourself when breaches like this occur. It all starts with getting rid of those overly used, poorly designed passwords you know are terrible but you use anyway.

The most secure password in the world is useless if a hacker steals it, but the real problem comes if it is the same password you use for every single log-in.

In other words, it’s essential that you employ a different password everywhere you conduct online affairs.

The well-known data breach repository “Have I Been Pwned” has recently released a database of over 306 million passwords contained in multiple data breaches.

Previously I used the “Have I Been Pwned” website, by entering my work email address to check if one of my accounts had been compromised by hackers in a data breach.

I was shocked to find out that two of my online accounts, one with Adobe and another with vBulletin, had been compromised by a data breach. My username, passwords and other personal information had been obtained and made publicly available by hacker groups.

Embarrassing!

Last week, the process for checking the safety of your passwords was given a helping hand by the creator of the Have I Been Pwned site:

A dedicated Passwords page has been added to the website, allowing users to check a password against a database of 306 million passwords.

The passwords contained in the list were compromised in various data breaches, making them accessible to hackers and other attackers.

While you may be tempted to enter your current passwords into the Have I Been Pwned website, you should never enter current active passwords into any third-party service.

The Passwords page allows you to compare potential new passwords against the database of compromised passwords to determine their security. I found it very useful, giving me the peace of mind that my current method of creating passwords was relatively safe – for now!
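As an added example (not code from the original post or from Have I Been Pwned), the script below combines the two pieces of advice on this page: the complexity rules given earlier (mixed case, digits, symbols, no bare dictionary words) and a check against a breached-password list. It never sends the password anywhere: it hashes the candidate with SHA-1, queries only the first five hex characters of the hash, and compares the remaining 35 characters locally against the returned suffixes. That is the range-query scheme the real Pwned Passwords service later offered at `https://api.pwnedpasswords.com/range/<prefix>`; here the server side is simulated offline with a constructed breach corpus and constructed counts, and `SAMPLE_DICTIONARY`, `min_length` and the sample passwords are assumptions for the demonstration.

```python
"""Check a candidate password against complexity rules and a breach list
without revealing the password. Added example; breach corpus, counts and
dictionary are constructed, not real data."""
import hashlib
import re
import string

# Constructed stand-in for a breach corpus: password -> times seen in breaches.
SAMPLE_BREACHES = {
    "password": 3000000,
    "123456": 20000000,
    "letmein": 100000,
    "Tr0ub4dor&3": 5,   # passes complexity rules, yet already breached
}
# Tiny constructed dictionary for the "dictionary words aren't enough" rule.
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "letmein", "admin"}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_response(prefix: str, breaches: dict = SAMPLE_BREACHES) -> str:
    """Simulate the server side of a range lookup: for every breached hash that
    starts with the 5-char prefix, return 'SUFFIX:COUNT' (suffix = last 35 hex)."""
    lines = []
    for pw, count in breaches.items():
        h = sha1_hex(pw)
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:{count}")
    return "\r\n".join(lines)


def pwned_count(password: str, fetch_range=build_range_response) -> int:
    """Return how often the password appears in the breach list.
    Only the 5-char hash prefix is handed to fetch_range; matching is local."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch_range(prefix).splitlines():
        found_suffix, _, count = line.partition(":")
        if found_suffix.strip().upper() == suffix:
            return int(count.strip() or 0)
    return 0


def policy_problems(password: str, min_length: int = 10) -> list:
    """Apply the post's complexity advice; min_length is an assumed value."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = {
        "uppercase": string.ascii_uppercase,
        "lowercase": string.ascii_lowercase,
        "digits": string.digits,
        "symbols": string.punctuation,
    }
    missing = [name for name, chars in classes.items()
               if not any(c in chars for c in password)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    # Strip digits/symbols so 'Welcome2017!' is still recognised as 'welcome'.
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in SAMPLE_DICTIONARY:
        problems.append("dictionary word with decoration")
    return problems


def assess(password: str) -> list:
    """All reasons to reject a candidate password; empty list means acceptable."""
    problems = policy_problems(password)
    seen = pwned_count(password)
    if seen:
        problems.append(f"seen {seen} times in breaches")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "Welcome2017!", "Tr0ub4dor&3", "correct-Horse7battery-Staple"]:
        print(candidate, "->", assess(candidate) or "ok")
```

The key point the post makes is preserved by the structure of `pwned_count`: the full password and its full hash stay on your machine, and even a hostile or logging server only ever learns a five-character prefix shared by a large bucket of other hashes. The `Tr0ub4dor&3` sample shows why the breach check matters at all: it satisfies every complexity rule and is still rejected.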